Tuesday, June 30, 2015

Control Engineering 2015 Cyber Security Study

Yesterday I posted a review of the recent SANS State of Industrial Control Systems Survey.  You can find that posting here.

Today I'd like to tell you about another interesting and equally disconcerting survey about the status of today's industrial control system security posture.

Each year Control Engineering Magazine conducts a survey of its readers to evaluate cyber security implementation, resources and training for industrial control systems.  Their 2015 Cyber Security report was issued this June.  A summary of the study posted by Control Engineering is located here.

The Control Engineering report is essentially in presentation format and has a collection of graphs and data relating to the survey responses.  It is a pretty easy and quick read and offers similar data to the SANS Survey.

Statistics and Findings

The Control Engineering analysis included data collected from 284 respondents in the first quarter of 2015.  The report includes the following summary findings:

1.  Threat Levels:  47% of respondents perceive their control systems to be "moderately" threatened by cyber attacks.  25% say theirs is "highly" threatened and 8% are at the "severe" threat level.

2.  Most Concerning Threat:  Their responses included:

  • 35% view malware from a random source as the most concerning threat
  • 18% are worried about loss of intellectual property
  • 8% fear attacks from "hacktivists" with political or environmental agendas.

3.  Most Vulnerable System Components:  The components of most concern include:
  • Connections to other internal systems (SANS is similar)
  • Computer assets running commercial operating systems (Same as SANS)
  • Network devices
  • Wireless communication devices and protocols
  • Connections to the field SCADA networks

4.  Vulnerability Assessments:  39% of those surveyed said their last vulnerability assessment was performed within the last six months (Good!); while 16% have never executed one (Not So Good).

5.  Publicly Reporting Incidents:  66% of those surveyed say publicly reporting cyber-related incidents would benefit the industry.  36% agree that the biggest problem with public reporting is the fear of losing consumer confidence.

6.  Resources Used to Monitor Control System Cyber Security Events:
  • Anti-virus software (99%)
  • Network logs (89%)
  • Firewall logs (89%)
  • Intrusion Detection/Prevention (84%)
  • Whitelisting (76%)

Overall, this is a useful survey to examine and, as I noted for the SANS ICS Security Survey, these reports should be reviewed and digested by security professionals responsible for ICS security and shared with their executive management to show them that security is a concern and should be theirs, too.


Monday, June 29, 2015

State of Industrial Control Systems Security - A SANS Survey

This month the SANS Institute published its annual State of Security in Control Systems Today.  The results were prepared by Messrs. Derek Harp (SANS) and Bengt Gregory-Brown (Sable Lion Ventures LLC).

You can download the report from the SANS Reading Room at:  https://www.sans.org/reading-room/whitepapers/analyst/state-security-control-systems-today-36042 

Some Thoughts...

The report is a quick and useful read.  I'd highly recommend not only that ICS Security Professionals read and digest this report, but also that it be shown to the skeptical executives in their organization.

So, here are some key bullets gleaned from my read:

  • Top four concerns by those surveyed include:
    • Ensuring reliability and availability (68%)
    • Lowering risk/improving security (40%)
    • Preventing damage (28%)
    • Ensuring health and safety (27%)
  • Rapid detection of security incidents on ICS is key because the longer the breaches remain unknown, the greater the potential impact.
  • The integration of IT into control system networks was chosen by 19% of respondents as the single greatest threat vector.  The top three threat vectors were a) External Threat, b) Internal Threat, and c) Integration of IT into the Control System Networks.
  • 74% of respondents believe that their external connections are not fully documented.  (Ugh!)  Simply identifying and detailing connections and attached devices in a network is a key step to securing it.
  • Another challenge highlighted in the survey is a lack of visibility into control system equipment and network activity.  This inhibits progress in securing assets and decreases the accuracy of self-evaluations.

Read the Margin Notes!

One editorial and formatting aspect of the report I liked was the inclusion of marginal notes called TAKEAWAYs.  These notes are useful ideas for the ICS security person to implement -- or at least consider -- when trying to protect their ICS systems.  A few examples of the TAKEAWAYs are:
  • Know what is normal.  Lack of visibility into control system networks is one of the greatest barriers to securing these resources.  Without awareness of normal communications and activity, it's impossible to properly evaluate or improve security of assets.  Operations and security staff must be able to visualize and verify normal network operations to detect and assess possible abnormalities and respond to potential breaches.
  • Gain visibility into control system networks.  Map all devices, physical interconnections, logical data channels and implemented ICS protocols among devices, including read coils, write registers, scans and time stamps.  Establish a fingerprint of normal control network activity and communication, including communication patterns, schedules and protocols.  Then, establish device logging, strict change management and automated log analysis based on your baseline data.
  • Integrate security into procurement and decommissioning processes.  Establishing security of software or devices is cheaper, easier and more effective prior to deployment.  The burden of maintaining security is lighter when you start from a secure state.  And, security should be included in the decommissioning and removal of devices to avoid opening serious vulnerabilities.

Again, a great job by SANS, Derek and Bengt!  Take the time to download and read this report and take advantage of the ideas to improve the security of your ICS networks.
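
To make the "know what is normal" and "gain visibility" takeaways concrete, here is a small added example (mine, not from the SANS report) that fingerprints which devices talk to which and what Modbus operations they use, then flags anything outside that baseline. The record format, addresses and severity labels are assumptions made for illustration, and it covers only talker pairs and function codes, not schedules or time stamps.

```python
from collections import defaultdict

# Standard Modbus function codes for the reads and writes the takeaway mentions.
FUNCTION_NAMES = {1: "read coils", 3: "read holding registers",
                  5: "write single coil", 6: "write single register",
                  15: "write multiple coils", 16: "write multiple registers"}
WRITE_CODES = {5, 6, 15, 16}

def build_baseline(records):
    """Map each (src, dst) pair to the function codes seen in a known-good window."""
    baseline = defaultdict(set)
    for src, dst, code in records:
        baseline[(src, dst)].add(code)
    return dict(baseline)

def find_deviations(baseline, records):
    """Return (severity, reason, record) for traffic that is not in the baseline."""
    findings = []
    for rec in records:
        src, dst, code = rec
        name = FUNCTION_NAMES.get(code, f"function {code}")
        allowed = baseline.get((src, dst))
        if allowed is None:
            # A connection nobody documented: the survey's 74% problem.
            findings.append(("high", f"undocumented connection {src} -> {dst}", rec))
        elif code not in allowed:
            # Known pair, new operation; writes change process state, so rank higher.
            severity = "high" if code in WRITE_CODES else "medium"
            findings.append((severity, f"new operation '{name}' on {src} -> {dst}", rec))
    return findings

# Constructed sample data (hypothetical addresses): (source, destination, function code).
BASELINE_WINDOW = [
    ("10.0.0.5", "10.0.1.20", 3),   # HMI polls PLC 1 registers
    ("10.0.0.5", "10.0.1.20", 1),   # HMI polls PLC 1 coils
    ("10.0.0.5", "10.0.1.21", 3),   # HMI polls PLC 2 registers
    ("10.0.0.9", "10.0.1.20", 6),   # engineering workstation writes setpoints
]
OBSERVED = [
    ("10.0.0.5", "10.0.1.20", 3),   # normal poll, no finding
    ("10.0.0.5", "10.0.1.21", 16),  # HMI never wrote to PLC 2 before
    ("10.0.0.77", "10.0.1.20", 1),  # talker absent from the baseline
    ("10.0.0.5", "10.0.1.21", 1),   # new read on a known pair
]

if __name__ == "__main__":
    for severity, reason, _ in find_deviations(build_baseline(BASELINE_WINDOW), OBSERVED):
        print(f"[{severity}] {reason}")
```

In practice the records would come from passive capture or device logs, and the baseline would be regenerated only through change management.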


Friday, June 5, 2015

NIST Publishes Updated ICS Security Guide (Rev 2)

Just a quick note...

NIST announced today that they have published Rev 2 of the Guide to Industrial Control Systems (ICS) Security SP 800-82!

Great news!  This is a super document to use as a daily reference for ICS security and general knowledge and a great starting point for those who want to learn more about ICS.

You can read more about this release at:  http://www.nist.gov/el/isd/201506_ics_security.cfm

You can download the document (for Free) at:  http://dx.doi.org/10.6028/NIST.SP.800-82r2